CVE-2021-39908

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-39908
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39908.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-39908
Aliases
Downstream
Published
2022-04-01T23:15:10.407Z
Modified
2026-04-10T04:37:33.558408Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code viewer UI.

References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
9ed95b96a6766af9336048a63a29b678f88a9413
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
9ed95b96a6766af9336048a63a29b678f88a9413
Introduced
dec73e99fddac59c0bf816dc4bffd2a30abae6de
Fixed
3e776d83389c706fb81973736e57ca6a6fb952fc
Introduced
dec73e99fddac59c0bf816dc4bffd2a30abae6de
Fixed
3e776d83389c706fb81973736e57ca6a6fb952fc
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
19c719febd74b6edf549bf6a2c0e36bf8f176d56
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
19c719febd74b6edf549bf6a2c0e36bf8f176d56
Database specific 
{
    "versions": [
        {
            "introduced": "0.8.0"
        },
        {
            "fixed": "14.2.6"
        },
        {
            "introduced": "0.8.0"
        },
        {
            "fixed": "14.2.6"
        },
        {
            "introduced": "14.3.0"
        },
        {
            "fixed": "14.3.4"
        },
        {
            "introduced": "14.3.0"
        },
        {
            "fixed": "14.3.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "14.4.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "14.4.0"
        }
    ]
}

Affected versions

Other
11-10-0cfa69752d8-0d9531c80-ee
11-10-0cfa69752d8-74ffd66ae-ee
11-10-119f9509d50-6d7537235-ee
v1.*
v1.2.0
v1.2.0pre
v1.2.1
v1.2.2
v14.*
v14.2.0-ee
v14.2.0-rc42-ee
v14.2.1-ee
v14.2.3-ee
v14.2.4-ee
v14.3.0-ee
v14.3.2-ee
v14.3.3-ee
v14.4.0-ee
v14.4.0-rc42-ee
v14.4.0-rc43-ee
v14.4.0-rc44-ee
v14.4.0-rc45-ee
v2.*
v2.3.0
v2.3.0pre
v2.3.1
v2.4.0
v2.4.0pre
v2.4.1
v2.5.0
v2.6.0
v2.6.0pre
v2.6.1
v2.6.2
v2.6.3
v2.7.0
v2.7.0pre
v2.8.0
v2.8.0pre
v2.8.1
v2.8.2
v2.9.0
v2.9.1
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v4.*
v4.0.0
v4.0.0rc1
v4.0.0rc2
v5.*
v5.0.0
v5.1.0
v5.2.0
v6.*
v6.0.0-ee
v6.0.0-ee.beta
v6.0.0-ee.rc1
v6.1.0-ee
v6.3.0-ee
v6.3.1-ee
v6.4.0-ee
v6.5.0-ee
v6.6.0-ee
v6.7.0-ee
v6.7.0.rc1-ee
v6.8.0-ee
v7.*
v7.0.0-ee
v7.1.0-ee
v7.1.0.rc1-ee
v7.2.0.rc1-ee
v7.2.0.rc2-ee
v7.2.0.rc3-ee
v7.2.0.rc4-ee
v7.2.0.rc5-ee
v7.3.0-ee
v7.3.0.rc1-ee

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-39908.json"